On Tue, Jul 13, 2010 at 9:58 PM, Torsten Lodderstedt
<tors...@lodderstedt.net>  wrote:
We plan to issue new refresh tokens for certain clients only (mobile, desktop),
it's part of the client-related policy. So the behavior for a particular client 
is predictable.
Nice.

Would you be willing to expand on the current spec language a bit, to
explain the use cases, and offer more normative language about how
clients should handle refresh token exchange?

This is a cool feature, but the current language is kind of vague.

Cheers,
Brian

I'm not sure what you would like me to write. But let's get started:

We expected the clients to discard the old refresh token and to use the newly issued refresh token instead. The old refresh token is revoked instantly. Any attempt to use it afterwards is interpreted as a potential misuse, because the assumption would be that an adversary has copied the token or cloned the device. The client should notify the user of the problem and recommend that he/she check his/her application authorizations (refresh tokens) in our user self-care portal. There, the user will have access to information on when the token was last used and can thereby detect any odd behavior. The user could then revoke the token and/or alert his/her provider's helpdesk.

regards,
Torsten.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
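The rotation-and-reuse-detection behaviour Torsten describes above, written out as an added, self-contained example (this code is not from the thread or from any implementation discussed in it). The per-client-type policy table, the `grant_id` that ties a chain of rotated tokens together, the choice to revoke the whole grant once a rotated-out token reappears, and storing only a hash of each token are all assumptions of this example; the mail itself only says the old token is revoked instantly, that reuse is treated as potential misuse, and that the user is shown when a token was last used.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class TokenReuseDetected(Exception):
    """A refresh token that was already rotated out has been presented again."""

    def __init__(self, grant_id: str, last_used_at: Optional[float]):
        super().__init__(f"refresh token of grant {grant_id} reused")
        self.grant_id = grant_id
        self.last_used_at = last_used_at


@dataclass
class TokenRecord:
    client_id: str
    user_id: str
    grant_id: str                 # assumption: shared by every token rotated from one authorization
    issued_at: float
    last_used_at: Optional[float] = None
    revoked: bool = False
    rotated: bool = False         # True once a successor token has been handed out


def _digest(token: str) -> str:
    # Assumption: only a hash is stored, so a leaked table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshTokenStore:
    # Hypothetical client-type policy: mobile/desktop get a fresh token on every use, web does not.
    rotate_for: Dict[str, bool] = field(
        default_factory=lambda: {"mobile": True, "desktop": True, "web": False})
    client_type: Dict[str, str] = field(default_factory=dict)
    records: Dict[str, TokenRecord] = field(default_factory=dict)
    alerts: List[dict] = field(default_factory=list)   # what a self-care portal / helpdesk would see

    def register_client(self, client_id: str, ctype: str) -> None:
        self.client_type[client_id] = ctype

    def issue(self, client_id: str, user_id: str, now: Optional[float] = None) -> str:
        """Mint the first refresh token of a brand-new grant (e.g. right after user consent)."""
        now = now if now is not None else time.time()
        return self._mint(client_id, user_id, secrets.token_hex(8), now)

    def _mint(self, client_id: str, user_id: str, grant_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.records[_digest(token)] = TokenRecord(client_id, user_id, grant_id, now)
        return token

    def exchange(self, presented: str, now: Optional[float] = None) -> str:
        """Client presents a refresh token; returns the refresh token it must keep using."""
        now = now if now is not None else time.time()
        rec = self.records.get(_digest(presented))
        if rec is None:
            raise ValueError("invalid_grant")
        if rec.rotated:
            # The old token was revoked the instant its successor was issued. Seeing it again
            # means it was copied or the device cloned: kill the whole grant (assumption) and
            # record the last legitimate use so the user can judge what happened.
            self._revoke_grant(rec.grant_id)
            self.alerts.append({"user": rec.user_id, "grant": rec.grant_id, "at": now,
                                "reason": "refresh_token_reuse", "last_used_at": rec.last_used_at})
            raise TokenReuseDetected(rec.grant_id, rec.last_used_at)
        if rec.revoked:
            raise ValueError("invalid_grant")       # revoked by the user or by a reuse event
        rec.last_used_at = now
        ctype = self.client_type.get(rec.client_id, "web")
        if not self.rotate_for.get(ctype, False):
            return presented                         # policy says this client keeps its token
        rec.rotated = rec.revoked = True             # instant revocation of the old token
        return self._mint(rec.client_id, rec.user_id, rec.grant_id, now)

    def _revoke_grant(self, grant_id: str) -> None:
        for rec in self.records.values():
            if rec.grant_id == grant_id:
                rec.revoked = True

    def authorizations(self, user_id: str) -> Dict[str, Optional[float]]:
        """grant_id -> time of last use, for grants that still have a live token (portal view)."""
        live, last = set(), {}
        for rec in self.records.values():
            if rec.user_id != user_id:
                continue
            if not rec.revoked:
                live.add(rec.grant_id)
            if rec.last_used_at is not None:
                last[rec.grant_id] = max(last.get(rec.grant_id, 0.0), rec.last_used_at)
        return {g: last.get(g) for g in live}


def demo() -> dict:
    """Walk a constructed scenario: a mobile client rotates, a leaked old token is replayed."""
    store = RefreshTokenStore()
    store.register_client("mobile-app", "mobile")
    store.register_client("web-site", "web")
    t1 = store.issue("mobile-app", "alice", now=1000.0)
    t2 = store.exchange(t1, now=1010.0)              # rotation: t1 is now dead
    t3 = store.exchange(t2, now=1020.0)
    before = list(store.authorizations("alice").values())
    try:
        store.exchange(t1, now=1030.0)               # attacker replays the copied t1
        reuse = None
    except TokenReuseDetected as e:
        reuse = e.last_used_at
    try:
        store.exchange(t3, now=1040.0)               # legitimate client is cut off too
        t3_ok = True
    except ValueError:
        t3_ok = False
    w1 = store.issue("web-site", "bob", now=2000.0)
    w2 = store.exchange(w1, now=2010.0)              # no rotation for this client type
    return {"rotated": t2 != t1, "last_use_before": before, "reuse_last_used": reuse,
            "t3_still_valid": t3_ok, "alerts": len(store.alerts),
            "web_unchanged": w1 == w2, "alice_live": store.authorizations("alice")}


if __name__ == "__main__":
    print(demo())
```

The key design point is that a rotated-out token is never deleted, only marked `rotated`; deleting it would turn a replay into an indistinguishable "unknown token" error and lose exactly the signal the mail wants to surface to the user.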
